Presentation is loading. Please wait.

Presentation is loading. Please wait.

TDL3 Rootkit A Sans NewsBite Analysis by Marshall Washburn.

Published byMyrtle Terry Modified over 8 years ago

Similar presentations

Presentation on theme: "TDL3 Rootkit A Sans NewsBite Analysis by Marshall Washburn."— Presentation transcript:

1

2 TDL3 Rootkit A Sans NewsBite Analysis by Marshall Washburn

3 Topic: TDL3 Rootkit variant SANS NewsBites - Volume: XII, Issue: 70 (August 26, 27 & 30, 2010) TDL3 Rootkit, version 3.273 Combination of MBR rootkit, Rustock.C and old Tdss variants. Stealthiest in the world.

4 Rootkits Wikipedia – “A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications” High risk, 1-in-5 Windows machines. “Root” and “kit”

5 Rootkits Netsecurity.about.com – “A rootkit allows someone, either legitimate or malicious, to maintain command and control over a computer system, without the computer system user knowing about it” Typically 32-bit problems

6 Rootkits Rootkit are not really viruses Machine independent Remote access Anti-virus level access

7 Prevention Digital Signature check for rogue drivers “PatchGuard” prevents some changes to Windows kernel. Vista and Win7 do not allow Admin

8 TDL3 Rootkit Also known as Alureon rootkit More sophisticated Version 3.273 Targets 64-bit machines that were previously considered safer Spread through websites and exploit kits

9 TDL3 Rootkit Gains control during the boot sequence Alters Master Boot Record. This gets around the 1 st two preventions. Enacts a restart, which loads the altered MBR and catches process signals. Encrypted with ROR loop (rotate right).

10 TDL3 Rootkit Details Kernel code appears as raw bytes, passes security. TDL3 encodes and decodes files on the fly, so it can pass as being a piece of the kernel code. At startup, hunts for driver object. Overwrites 824 bytes, avoiding file size check Fake driver object, captures disk I/O, hunts for kernel32.dll Infection

11

12 TDL3 Rootkit Has a watchdog thread to prevent any change to the service registry key No one can get a handle to infected driver file(red flag) In Feb. it caused BSOD with MS10-015 update RVA(Relative Virutal Address) offsets of Windows kernel APIs modified and use them to find functions. On the update, the values were changed. After restart, the rootkit called an invalid address

13 TDL3 fights back While this caused a BSOD, it did bring notice to a potential problem TDL3 authors updated within hours that worked with the update. Process was called tdlcmd.dll or z00clicker.dll

14 TDL3 Rootkit First significant 64-bit rootkit Malware begets more malware Anti-virus lag Security chess match

15 Cited Sites http://www.guidingtech.com/4467/what-is-a- rootkit/ http://www.guidingtech.com/4467/what-is-a- rootkit/ http://www.prevx.com/blog/154/TDL-rootkit- x-goes-in-the-wild.html http://www.prevx.com/blog/154/TDL-rootkit- x-goes-in-the-wild.html http://www.prevx.com/blog/143/BSOD-after- MS-TDL-authors-apologize.html http://www.prevx.com/blog/143/BSOD-after- MS-TDL-authors-apologize.html http://www.prevx.com/blog/139/Tdss-rootkit- silently-owns-the-net.html

Download ppt "TDL3 Rootkit A Sans NewsBite Analysis by Marshall Washburn."

Similar presentations

Vpn-info.com.

Vpn-info.com.
1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.

 Application software consists of programs designed to make users more productive and/or assist with personal tasks.  Growth of internet simplified.
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science ©2002-2004 Matt Bishop.

Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Chapter 9 Security 9.7 - 9.8 Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.

Chapter 9 Security Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.
MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.

MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.

Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
Week 5 IBS 520 Computer and Online Security. Cybercrime Online or Internet- based illegal acts What is a computer security risk? Computer crime Any illegal.

Week 5 IBS 520 Computer and Online Security. Cybercrime Online or Internet- based illegal acts What is a computer security risk? Computer crime Any illegal.
Video Following is a video of what can happen if you don’t update your security settings! security.

Video Following is a video of what can happen if you don’t update your security settings! security.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
By, Anish Shanmugasundaram Yashwanth Sainath Jammi.

By, Anish Shanmugasundaram Yashwanth Sainath Jammi.
Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.

Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.
Protecting Your Computer & Your Information

Protecting Your Computer & Your Information
Malware  Viruses  E-mail Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.

Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.

Similar presentations

Ads by Google